🤖 AI Summary
This study addresses a state-sponsored cyberattack conducted by a Pakistani APT group during India’s “Operation Sindoor,” wherein remote access trojans (RATs) were deployed against critical infrastructure via malware. To detect such advanced threats, we propose a detection framework grounded in tactical-technical pattern analysis. Methodologically, we design a lightweight Osquery-based telemetry collection system augmented with custom extensions to capture high-fidelity endpoint behavioral logs, map observed activities to MITRE ATT&CK tactics and techniques, and introduce an extensible, behavior-driven detection rule set. Experimental evaluation demonstrates successful identification of multiple RAT implantation events, achieving high detection accuracy and low false-positive rates, while enabling rapid integration into existing defensive architectures. Key contributions include: (1) the first systematic characterization of this APT’s TTPs; (2) a lightweight, operational detection paradigm tailored for nation-state RATs; and (3) open-sourcing of customized Osquery extensions and detection rules—collectively enhancing proactive APT discovery and incident response capabilities.
📝 Abstract
Rapid digitization of critical infrastructure has made cyberwarfare an important dimension of modern conflicts. Attacking critical infrastructure is an attractive pre-emptive proposition for adversaries, as it can be done remotely without crossing borders. Such attacks disrupt the support systems an opponent needs to launch offensive activities, crippling its fighting capabilities. Cyberattacks during cyberwarfare can be used not only to steal information but also to spread disinformation that lowers the opponent's morale. Recent wars in Europe, Africa, and Asia have demonstrated the scale and sophistication that warring nations deploy to gain an early upper hand. In this work, we focus on the military action launched by India, code-named Operation Sindoor, to dismantle terror infrastructure emanating from Pakistan, and on the cyberattacks launched by Pakistan in response. In particular, we study the malware used by Pakistani APT groups to deploy Remote Access Trojans (RATs) in Indian systems. We provide details of the tactics and techniques used in the RAT deployment and develop a telemetry framework that collects the necessary event logs using Osquery with a custom extension. Finally, we develop a detection rule that can be readily deployed to detect the presence of the RAT or any exploitation performed by the malware.